Sunday, January 11, 2015

Allow and Deny network traffic by using Extended Port Access Control List on Hyper-V switch

In Windows Server 2012, Microsoft added a feature on a Hyper-V switch which is Port Access Control Lists (ACLs) to configure network traffic on virtual machines. To configure Port Access Control Lists (ACLs), we have to perform PowerShell cmdlets to configure it. The cmdlets are Get-VMNetworkAdapterAcl, Add-VMNetworkAdapterAcl and Remove-VMNetworkAdapterAcl. In Windows Server 2012 version, there are only few options for administrators to configure it. we can allow or deny inbound, outbound or both traffic to virtual machines which are based on MAC or IP address but we cannot specific both local IP or remote IP address in the same rule. If there are multi-NICs in virtual machines, we can specific the vNIC of virtual machines to apply the rule. There is no option to configure rules which are based on a specific port or protocol for virtual machines.

One important thing of Port Access Control Lists is "Action: Allow" override "Action:Deny".In Windows Server 2012 R2, added another feature to Hyper-V switch which is Extended Port Access Control Lists (ACLs). Microsoft added more detailed options into other cmdlets, Get-VMNetworkAdapterExtendedAcl, Add-VMNetworkAdapterExtendedAcl and Remove-VMNetworkAdapterExtendedAcl to let us to configure the ACL rules for virtual machines. We can add parameter of Add-VMnetworkAdapterExtendedAcl to allow or deny traffic of specific ports, protocol, VLAN and so on for vNIC or virtual machines. Add-VNnetworkAdapterExtendedAcl came with weight parameter to let us to determine the order of the rule. The rule with higher integer weight will be applied first. There is an option, stateful ACL rules.

Remark: You cannot use same integer weight to apply 2 same direction rules.

Reference from MicrosoftA stateful rule filters packets based on five attributes in a packet - Source IP, Destination IP, Protocol, Source Port, and Destination Port.How about Windows Server Technical Preview (vNext)?There is no information about Extended Port Access Control Lists for Windows Server Technical Preview at this moment. In the Nov of 2014, Microsoft announced Azure Network Security Groups for Microsoft Azure. We can create a group and and then add virtual machines to the group to apply network rules like Extended Port Access Control Lists in Microsoft Azure. However, there is a limitation of this feature is the network traffic running in virtual network (vNet). In my opinion, it's enhanced Extended Port Access Control Lists which is available for Microsoft Azure. Microsoft might consider adding this feature on the next version of Windows Server.More informationCreate Security Policies with Extended Port Access Control Lists for Windows Server 2012 R2Network Security GroupsAbout Network Security Groups

This posting is provided “AS IS” with no warranties, and confers no rights!